from the now,-where-did-they-get-that-idea? dept

One of the most shocking revelations from the Snowden documents was that the NSA and GCHQ are running "man-in-the-middle" (MITM) attacks against Google -- that is, impersonating the company's machines so as to snoop on encrypted traffic to them. They are able to do that through the use of secret servers, codenamed Quantum, placed at key places on the Internet backbone, which therefore require the complicity of the telecom companies. Of course, in countries like China, arranging for Internet streams to be intercepted in this way is even easier, so perhaps the following story on greatfire.org should come as no surprise:

From August 28, 2014 reports appeared on Weibo and Google Plus that users in China trying to access google.com and google.com.hk via CERNET, the country's education network, were receiving warning messages about invalid SSL certificates. The evidence, which we include later in this post, indicates that this was caused by a man-in-the-middle attack.

Greatfire.org's analysis of why China is using MITM attacks against Google on the education network, rather than simply blocking access completely, is particularly interesting. The problem for the Chinese authorities is that Google has now implemented HTTPS by default:

Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default. Only the end user and the Google server know what information is being searched and returned. The Great Firewall, through which all outgoing traffic from China passes, only knows that a user is accessing data on Google’s servers -- not what that data is. This in turn means that the authorities cannot block individual searches on Google -- all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.

The reason is that access to Google is simply too important for the research community in China. Blocking Google entirely would therefore be counterproductive for the country's future:

The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason.

The MITM approach offers the perfect solution: it allows researchers to get most of the benefit of Google's huge Internet index, but can be used to block selective search queries or results when people try to access sites or information that Chinese authorities want to censor. As the Greatfire.org post suggests, the increasing use of encrypted connections for online services means that MITM attacks are likely to become much more common -- and not just in China.

from the permanently-offline dept

While there has been blissfully only minor advancement in the US about the non-existent disease known as "internet addiction", the same can't be said of certain other countries. South Korea has a version of it, which mostly involves shutting down online video games for a certain portion of the day. But the real mover and shaker in this made up land of dependency is China, where six hours online a day makes you an addict (someone tell my employer!) and they've actually gone so far as to create internet addiction "camps" where people learn to eschew cat videos, Facebook posts about food, and ostensibly the news posted online that they're probably being horribly abused at that very camp.

Earlier this year in May, LingLing passed away in a hospital in Zhengzhou, Henan province. It was reported by the Chinese media that she actually died before reaching the hospital. LingLing was reported to be attending Zhengzhou Boqiang New Idea Life Training School. While at addiction camp, LingLing was singled out by her instructors. She was reportedly taken to "extra" lessons on more than one occasion. According to another girl that attended the addiction camp, LingLing was singled out. According to the media and government reports, LingLing was beaten and dropped onto hard surfaces. The Zhengzhou coroners office reported that LingLing died from extreme head trauma.

I guess I'm not really certain what picture I had in my head when I imagined an internet addiction camp, but it sure as hell didn't involve young women getting their brains beaten so badly that they expire. Also, that hundred-and-twenty-large seems a little light, considering the horror this family had to go through after being duped into believing such an internment was necessary to begin with. It all sounds worse when the report goes on to state that incidents of abuse have happened at these camps several times before as well.

So, while the "camp" in question, the one that essentially murdered a young girl, has had its license revoked, Chinese parents are going to have to start asking themselves which is more dangerous: "internet addiction" or the camps that purport to fix internet addiction.

from the not-so-secret-anymore dept

A few years back, Microsoft trumpeted a series of high-profile licensing deals with manufacturers of smartphones and tablets whose Android-based products, it claimed, were infringing on its patents. As we pointed out, the deals proved nothing about the validity of that claim -- just that Microsoft and the companies concerned had come to some mutually-acceptable arrangement, of which nearly all details were kept secret. In particular, Microsoft refused to reveal which of its many patents it claimed were infringed upon by Android. This allowed it to point to the licensing deals as "proof" that Android was infringing without ever actually needing to demonstrate that in the courts. It could then go to other manufacturers and encourage them to sign up too, which of course strengthened its story yet further for the round of negotiations after that.

Unfortunately for Microsoft, China has just put a stop to that clever, self-sustaining approach by revealing the patents involved. Microsoft was required to list them as part of the approvals process by the Chinese Ministry of Commerce (MOFCOM) for the US company's acquisition of Nokia. As Ars Technica explains:

A list of hundreds of patents that Microsoft believes entitle it to royalties over Android phones, and perhaps smartphones in general, has been published on a Chinese language website.

The patents Microsoft plans to wield against Android describe a range of technologies. They include lots of technologies developed at Microsoft, as well as patents that Microsoft acquired by participating in the Rockstar Consortium, which spent $4.5 billion on patents that were auctioned off after the Nortel bankruptcy.

More specifically:

The Chinese agency published two lists on a Chinese-language webpage where it laid out conditions related to the approved merger. The webpage has an English version, but it doesn't include the patent lists. There's a longer list [MS Word Doc] of 310 patents and patent applications and then a shorter list [MS Word Doc] of just over 100 patents and applications that MOFCOM focused on.

Doubtless lawyers at many companies with products using Android are busy poring over those lists, which include US patent numbers as well as titles in English. At the very least, the release of these lists will make Microsoft's attempts to sign up new licensees much harder, since now companies will know exactly what Microsoft is claiming in this regard before they enter into any negotiations. Moreover, it's good news for the open source community, which is able to examine what claims Microsoft might be making about the free software elements of Android, allowing those to be challenged with prior art, say, or coded around.

But there's another important aspect here. Microsoft had managed to keep the lid on its secret anti-Android list of patents for many years. What changed things was the emergence of China as a sufficiently important market that the US company felt obliged to accede to the Chinese government's demands for a full list of the patents involved. The publication of the patent lists on the MOFCOM Web site is an indication that China will play by its own rules here, even -- or perhaps especially -- when it is dealing with what was once the world's most powerful computing company.

from the we're-number-1! dept

With all the recent talk about Chinese censorship in relation to the 25th anniversary of the Tiananmen Square massacre, there was a very interesting interview on NPR's Fresh Air with Evan Osnos, who spent eight years in China, and has recently written a book about that "explores the tensions between China's rapid expansion and economic opportunity, and its enduring commitment to authoritarian rule." The book is called Age of Ambition: Chasing Fortune, Truth, and Faith in the New China, and the interview about it is fascinating for a variety of reasons. However, one tidbit stood out: how China totally revamped their propaganda system, modelling it after the US PR industry.

There was a point right after the demonstrations at Tiananmen Square when the party realized, you know, our propaganda is not working, otherwise all these young kids wouldn't have come down to the middle of the capital and held demonstrations for weeks and weeks. And in fact, for a time, they talked about getting rid of the propaganda system completely. And instead they did they opposite, and they doubled down on it.

And what they said was, we need to become much more sophisticated about how we conduct what's known as Chinese as thought work. And so they began to study the masters, really. They began to study the United States and the origins of public relations culture. So they went back and they actually - if you look in the textbooks for Chinese propaganda officials today, some of the things that they cite are the success of Coca-Cola. They say, if you can sell sugar water in effect to people, well, then we can sell anything at all.

They also looked very admiringly at the way that the Bush administration dealt with the press in the run-up to the war in Iraq. They think this is an example of a successful relationship with the press. They also look at the way that Tony Blair's government in Britain handled the media around the issue of mad cow disease. And so there's been this real effort to study what's been done in the West and to take from it the best attributes - or at least the most efficient and effective attributes of the free-market public relations industry.

Yes, congratulations to Judith Miller and the NY Times! You're now the very model for how China runs its propaganda operations. Oh, wait, did I say "propaganda"? I meant, "PR." Even China has changed the name of its propaganda department. Osnos talks about this a big building in the center of Beijing, where there are no signs, and no one will tell you what goes on in there. But it houses the Central Propaganda Department. Or it did. Until they changed the name.

So a few years ago, they actually changed the name of the Central Propaganda Department in English. They changed it to the Central Publicity Department. But I've always found it ironic that the Central Publicity Department has no sign and no address.

from the it's-not-working dept

We all know that China and their "Great Firewall" of censorship exist and we have a general idea of just how deep the censorship goes. We're also aware of the justifications that the Chinese government use for this censorship, including the notions that they're just protecting their innocent citizens from all the evil on the internet, as well as censorship committed by some of their antagonists (including the USA). But if you thought that this censorship was chiefly about pornography or current events, you're quite mistaken.

Take this fascinating piece about how China has attempted to disappear all reference to the 1989 incident in Tiananmen Square, which took place 25 years ago this week. The incident that culminated in hundreds of protesting students murdered on their own soil for the crime of wanting reforms within the communist government has been so thoroughly wiped from access that many young Chinese students aren't even aware it had ever happened.

In an example of George Orwell's "1984" dictum that "who controls the present controls the past", it reflects both the ruling Communist Party's immense power and its enduring sensitivity about its actions on June 3-4, 1989. A third of China's population today was born afterwards, while many of those alive at the time hesitate to broach the sensitive topic -- leaving a huge swathe of those under 25 ignorant of the event.

"I don't know what you are talking about," a 20-year-old student at Peking University, one of China's most prestigious, told AFP when asked about the protests, looking slightly embarrassed.

We're not just talking about the internet, of course. China heavily censors their news, print media, literature, movies and music as well. And, for all the talk about protecting their people from the ills of the outside world, one result of all this censoring is that young, educated Chinese citizens don't even know the history of their own nation. It's quite obvious, as it always has been, that censorship in China has much more to do with protecting the Chinese government than it ever had to do with protecting the citizens.

Not that the censorship is 100% effective, of course.

Web users find workarounds such as "May 35", "63 plus 1" or homonyms of banned words, though they too are eventually blacklisted.

"They are basically a mark of commemoration, like lighting up a candle somewhere even if no one understands what the reference is," said Jason Ng, a University of Toronto research fellow and author of "Blocked on Weibo".

This is a good thing, but almost besides the point. When censorship is so bad that a nation's own citizens don't even know that a major national event occurred merely twenty-five years previously, you see the real evil in censorship. Should this cause those of us that live in a climate with more liberty to try to push for liberty for our brothers and sisters in China? Sure. But even more than that, it should make us all the more vigilant against even the smallest encroachments on our own free speech rights, particularly any attacks on our newest communications tools, such as the internet. Otherwise, we, too, may find that our children won't know their own history.

This is not a surprise to knowledgeable observers. Chinese attacks on large U.S. law firms have been widely acknowledged, and last summer the American Bar Association condemned “unauthorized, illegal intrusions into the computer systems and networks utilized by lawyers and law firms.” But the ABA flinched from actually mentioning China or the PLA in the resolution…

When the DOJ made a lot of ridiculous noise with its indictment, it only managed to further highlight the double standard the US deploys in its foreign relations. The NSA's hacking of Huawei's servers went unmentioned, as well as its numerous interception programs (both for hardware and communications) currently in place worldwide.

Baker believes the ABA's silence on China's hacking efforts is hypocritical in light of its letter to the NSA on the subject of attorney-client privilege. This letter was the result of another leak that showed the agency had offered a solid "whatever" when an Australian intelligence agency informed the NSA that it was listening in on privileged communications between Indonesian clients and American lawyers. Baker pretends to cede some ground on the ABA's complaint before arriving at his supposedly damning "point."

Fair enough. But it’s now been three days since we saw a much more direct accusation that the PLA was spying on privileged attorney-client communications in the US.

Who’s taking bets on whether the American Bar Association will be as quick to call out the Chinese government as it was to call out its own?

This is Baker's knockout punch, apparently, one that only manages to come within several inches of its target.

Of what possible use would it be for the ABA to call out the Chinese army? Even if US attorney communications were being intercepted, there's very little the Association could hope to accomplish with a strongly-worded letter. As the NSA's defenders often point out, foreigners are not provided with the same protections as natural citizens. The same undoubtedly goes double for China, which isn't exactly extending a great deal of rights to its own citizens.

Sure, the ABA could make a lot of noise about Chinese spying, but limiting its complaints to an agency of its own government makes more sense. Baker seems to want Americans to be more offended by something everyone expects the Chinese government to be doing, rather than by their own government doing things they never would have expected.

Baker also seems to be childish enough to believe that pointing out the wrongdoing of others somehow excuses the wrongdoing of the agency he's defending. This is particularly galling considering how often the NSA reminds world citizens that they simply aren't protected by US law and that their communications and data are fair game. The ABA addressed the real issue -- spying on communications historically awarded confidentiality by US statutes -- and the real problem in its letter. Its silence on the issue of Chinese spying isn't hypocrisy. It's reality. By petitioning its own government, it was able to have its complaint addressed. Complaining about China would be nothing more than angrily yelling into the void. The DOJ doesn't mind being greeted with little more than faint echoes, but those on the outside of government agencies aren't going to be nearly as reassured by the sound of their own reflected voices.

from the bunnie-was-right dept

Techdirt has been keeping an eye on the world of "shanzhai" companies for a while now. The term originally meant those places in China that were outside government control, and so, by extension, it referred to Chinese outfits specializing in counterfeit goods. But shanzhai companies are moving on, as this fascinating piece in The Atlantic makes clear:

Shanzhai used to refer to knock-off retail, and later end-consumer electronics, such as mobile phones of major brands like Nokia, Motorola and Ericson, often specifically designed for non-Western markets in China, South East Asia, South America, the Middle East and Africa. The ecosystem grew rapidly and by 2010, it was producing 200 million phones annually and was responsible for a quarter of the global mobile phone market. Since then, the shanzhai ecology has moved beyond cloning and enabled a wealth of iterative innovations including dual-SIM for frequent travelers to avoid roaming charges, seven-speaker phones for workers to listen to music at construction sites, and custom-designed phones for migrant populations unable to afford the latest smartphone.

Alongside those areas, here's an example of what's happening in the currently-fashionable sector of smart watches:

WPI [the Taiwanese electronic sourcing company World Peace Industrial] and other solution houses create gongban [standard circuit boards], which provide common electronic functions including Bluetooth connectivity to mobile phones, and sensors to measure the wearers' movement, as well as monitor heart rate and other vital bodily statistics. These gongban are designed to fit into a variety of gongmo [standard cases] that are ready to be branded on order. The flexibility to mix and match gongban and gongmo enable companies to quickly put together their own smart watches with customized functions and styles for various niche markets. Today, customers of WPI ship close to 100,000 smart watches per month.

That is, the shanzhai system is starting to adopt a highly-flexible approach that allows customized products to be designed and manufactured extremely quickly from sets of standardized parts. This has much in common with free software's modular developmental methodology, and next-generation shanzhai companies are also borrowing open source's business models:

That is, WPI gives away the basic designs to encourage their uptake, and then makes money from supplying the large open ecosystem that it creates by doing so. As Andrew "bunnie" Huang predicted, China's shanzhai sector has moved on a long way from simply copying, and is now innovating in multiple ways that industries in other countries could usefully learn from.

from the really-winning-fans-here dept

Earlier this week, we wrote about the DOJ filing an indictment against some Chinese hackers who are a part of the People's Liberation Army. We found the situation rather ironic, given all that the NSA has been accused of on the cyberespionage front these days. We also found the whole thing to be incredibly counterproductive as it wouldn't do a damn thing to stop Chinese hacking, but would likely lead to other countries filing criminal charges against NSA hackers.

What was particularly crazy was the DOJ's smug announcement about how it finally had "proof" of Chinese hacks, naming some specific companies which had been hacked. In theory, the DOJ thinks it's helping to protect those businesses, but the reality may be the opposite. It appears that the DOJ may have just created a massive headache for those companies, as they may be facing probes and possible shareholder lawsuits about failures to disclose the hacks to investors. It's not entirely clear they needed to do so -- and the companies insist they revealed all material information -- but from the article, it's clear that class action lawyers will eat this one up and file expensive and wasteful lawsuits.

“The question is would an investor have cared if Chinese hackers broke into a company and were messing around the place?” Jacob Olcott, a principal focusing on cybersecurity at Good Harbor Security Risk Management LLC in Washington, said in a phone interview. “As an investor, show me the evidence that you reviewed this thoroughly.”

So, not only did these companies -- Alcoa and Allegheny Technologies Inc. -- get hacked in a way where it's unlikely that any criminal charges will catch the folks who did the hacking, those same companies may face another legal headache over the failure to reveal they got hacked by the Chinese. So exactly whom is the DOJ helping here?

from the what-is-the-point? dept

We already wrote about the DOJ's "ironic" decision to file criminal charges against Chinese hackers. Soon after that the actual indictment was released and it's more or less what you'd expect. While the DOJ's extremely smug announcement about the indictment made it sound like it would amaze the public, the reality is that it just describes some fairly standard spearfishing attempts to seek out information from some big American companies. It's clearly illegal, but it really doesn't seem that impressive, especially given everything that's been revealed about the kind of attacks the NSA pulls off.

And, in fact, people are already pointing out that by firing the opening shot with criminal charges, the DOJ may be opening the floodgates against the NSA, FBI and others for similar charges in other countries. Obviously, China will almost certainly hit back with charges -- possibly even trying to arrest some folks in that country. But the ridiculousness of the situation may also lead other countries to levy charges against specific individuals within US intelligence -- thereby making life a lot more difficult for US intelligence officials in the near future.

So, the downside to this indictment seems fairly high. And for what upside? It's difficult to see any real upside. The US is clearly never going to get its hands on the specific individuals named in the indictment. China certainly isn't going to hand them over. And for all of the DOJ's bluster about finally having "proof" of criminal activity, no one is that interested. Everyone already knew the People's Liberation Army did this kind of hacking. Instead, the only real impact of this indictment seems to be the backlash, as people compare it to the lengths that US intelligence has gone to to spy on the rest of the world (including the Chinese).

In the end, the whole thing seems incredibly tone deaf on multiple levels. It calls more attention to questionable US activities, opens up US intelligence employees to criminal charges around the world, and does nothing to harm the Chinese. Doesn't anyone at the DOJ think these things through?

from the hey,-look-over-there! dept

Even as more and more examples of questionable surveillance by the US government are revealed, the US is apparently still trying its "hey, look over there!" strategy in response. This morning, Attorney General Eric Holder is announcing that the US has filed meaningless criminal charges against members of the Chinese military for economic espionage done via the internet.

Of course, there's no chance of any actual prosecution happening here. If anything this is all just a bit of diplomatic showmanship. In fact, I wouldn't be surprised to quickly see China respond in kind with "criminal charges" being announced against folks from the NSA for the various spying that they've done on China. US officials will, as they always do, insist that what the People's Liberation Army does is "different" because it's economic espionage, in which the Chinese army breaks into networks from certain industries and companies, and shares the details with Chinese companies. The US does not appear to do the same thing directly, though there are indications of indirect economic espionage (i.e., spying on companies to then inform general US policy that might help US companies). The Chinese have (quite reasonably) questioned how there's a legitimate distinction between the different kinds of espionage.

Either way, at a time when the US is under intense scrutiny for its questionable espionage efforts, including installing backdoors into US networking equipment (which is what they've accused the Chinese of doing repeatedly, despite no actual evidence), filing criminal charges against the Chinese for cyberspying... just looks really sad. It stinks of hypocrisy.